What is the best way to refer to files outside of the nix config from within the nix config

I have a couple of questions on how to reference files that arent a part of the nixos config. Mostly things like secrets and certificates.

For secrets I am using sops-nix while I know how it works in a cursory way and I have made it work but Im unsure where these generated files get placed and what the best ways are to reference them.

So where does it place it place these files and in what ways can I reference them?

I am referencing keys from user and etc directories using sops-nix but Im not sure if its the best approach since anything outside the scope of the nix-config is considered “impure”. I can get around this using tools like cat and symlinking but is this a good approach?
Also:
What is for nix considered pure or impure and how does it decide that?

Finally wheres the best place to files that aren’t a part of the nix config but do needed to be referenced by the nix config?

I can answer my first question.
secrets are set in /run/secrets/…
and how to reference them was through that directory.

/run/secrets but for coding purposes you don’t need to know that.

config.sops.secrets.<secret>.path

If you’re using flakes, anything not part of the flake or the nix store, but that you’re trying to inject in, is impure. At least if the nix evaluator needs to access the file. envvars and absolute non-store paths are always impure.